CVE-2022-2992: 2022/CVE-2022-2992.json · master · GitLab.org / cves · GitLab
A vulnerability in GitLab CE/EE affecting all versions from 11.10 before 15.1.6, from 15.2 before 15.2.4, and from 15.3 before 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
🤖 GitLab Bot 🤖 authored Oct 17, 2022
Related news
GitLab GitHub Repo Import Deserialization Remote Code Execution
An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server replies with a Redis serialization protocol (RESP) object embedded in the nested default_branch field of the response. GitLab caches this object and later deserializes it when loading a user session, resulting in remote code execution.